
Create an IPSec tunnel directly to a remote Windows server

Creating an IPSec tunnel directly to a remote Windows 2000 or 2003 server has its benefits. Learn about the details of making this type of secure connection.
Most network administrators who work with routers are familiar with creating IPSec tunnels between routers for WAN links. However, it's also possible to create an IPSec tunnel directly to a remote Windows 2000 or 2003 server.

While this isn't a common task for system administrators, it does offer benefits. Let's delve into the details of creating this type of secure connection.

Configure the server

Configuring the server for inbound and outbound communications is relatively simple. Follow these steps:

  1. Log on to the server with an account that has local administrative privileges.
  2. Go to Start | Run, and enter secpol.msc.
  3. Right-click IP Security Policies On Local Machine, and select Create IP Security Policy. This launches the IP Security Policy Wizard.
  4. Click Next. In the IP Security Policy Name section, name the new policy (a typical convention is to use the name of the site to which the policy will connect), and enter the policy's purpose in the Description text box.
  5. In the Request For Secure Communication section, leave the Activate The Default Response Rule check box selected. This ensures that the server responds to IPSec requests with this rule when no other rule is present.
  6. In the Default Response Rule Authentication section, click the bottom radio button, and enter the preshared key that you'll also enter on the router that will make this VPN connection. The key must match what you enter on the VPN router exactly. The recommended length is more than seven characters and/or numbers.
  7. Click Next, and click Finish to close the IP Security Policy Wizard.

Add rules for the tunnel

The properties for your IPSec policy will now appear. To begin editing the properties of the IPSec tunnel, follow these steps:

  1. Click Add, and click Next to launch the Security Rule Wizard.
  2. In the Tunnel Endpoint section, specify the tunnel endpoint IP address (the remote router's external IP address), and click Next.
  3. In the Network Type section, choose Local Area Network (LAN), and click Next. (If you're using Windows Server 2003, skip to Step 5.)
  4. In the Authentication Method section, enter the preshared key (the same key you entered before), and click Next.
  5. In the IP Filter List section, select All IP Traffic (unless you want to define the specific ports and protocols), and click Next.
  6. In the Filter Action section, create a filter action by clicking Add and choosing Next, which launches the Filter Action Wizard.
  7. Name the filter (e.g., Filter-Policy Name), and click Next.
  8. In the Filter Action General Options section, select Negotiate Security, and click Next.
  9. In the Communicating With Computers That Do Not Support IPSec section, leave the Do Not Communicate With Computers That Do Not Support IPSec check box selected. (Don't allow unsecured communication to your internal server; such a connection could be spoofed by a peer that doesn't have the correct crypto policy.) Click Next.
  10. In the IP Traffic Security section, select Custom, and click Settings.
  11. Make sure you've selected the Data Integrity And Encryption (ESP) check box.
  12. Select MD5 from the Integrity Algorithm drop-down list, and choose DES from the Encryption Algorithm drop-down list.
  13. Choose Session Key Settings, and select the Generate A New Key Every 3600 Seconds check box.
  14. Click OK, click Next, and click Finish.
  15. In the Filter Action section, select the filter action you just created, and select Next. (If you're using Windows Server 2003, enter the preshared key here, and click Next.)
  16. Click Finish, click OK, and click Close.

This process creates the IPSec tunnel rule. Once you've configured the router, right-click the security policy you created, and select Assign.
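The wizard steps in both sections above can also be scripted. The following is an added example, not part of the original article, showing the equivalent `netsh ipsec static` commands on Windows Server 2003 (Windows 2000 has no `netsh ipsec` context; its Support Tools ship `ipseccmd.exe` instead). The policy name, the peer address 203.0.113.10 and the key placeholder are assumptions to replace with your own values; the parameter names follow the `netsh ipsec static` reference as I recall it, so confirm them with `netsh ipsec static add rule ?` on your host before relying on the script. The article's DES/MD5 choice is reproduced for fidelity; both are considered weak today, and the same `qmsecmethods` field accepts `ESP[3DES,SHA1]` on the same platform.

```batch
@echo off
REM Added example (not from the article): netsh ipsec static equivalent of the
REM secpol.msc wizard steps on Windows Server 2003. Assumed placeholder values:
REM   RemoteSite    - policy name (the site the tunnel connects to)
REM   203.0.113.10  - remote router's external IP (documentation range)
REM   PSK           - the preshared key also configured on the VPN router
set "POLICY=RemoteSite"
set "PEER=203.0.113.10"
set "PSK=REPLACE_WITH_PRESHARED_KEY"

REM "Configure the server", steps 4-5: new policy with the default response rule active
netsh ipsec static add policy name="%POLICY%" description="IPSec tunnel to %POLICY%" activatedefaultrule=yes

REM Step 6: the default response rule authenticates with the preshared key
netsh ipsec static set defaultrule policy="%POLICY%" psk="%PSK%"

REM "Add rules", steps 6-13: negotiate security, refuse clear-text fallback
REM (inpass=no, soft=no), ESP with DES/MD5 and a 3600-second session key lifetime
netsh ipsec static add filteraction name="Filter-%POLICY%" action=negotiate inpass=no soft=no qmsecmethods="ESP[DES,MD5]:3600s"

REM Steps 2-5 and 15: tunnel-mode rule to the remote router using the built-in
REM "All IP Traffic" filter list, LAN connections only, PSK authentication
netsh ipsec static add rule name="Tunnel-%POLICY%" policy="%POLICY%" filterlist="All IP Traffic" filteraction="Filter-%POLICY%" tunnel=%PEER% conntype=lan psk="%PSK%"

REM Final step: assign the policy once the router side is configured
netsh ipsec static set policy name="%POLICY%" assign=yes

REM Checks: confirm the policy is assigned, then look for a main-mode SA with the
REM peer after sending traffic through the tunnel; no SA means IKE never completed
REM (mismatched key, wrong endpoint address, or UDP 500 blocked in between)
netsh ipsec static show policy name="%POLICY%"
netsh ipsec dynamic show mmsas all
```

Run the script from an elevated command prompt on the server; `netsh ipsec static` writes to the same local policy store that the wizard edits, so the result shows up in secpol.msc exactly as if it had been clicked through.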

Final thoughts

Protecting communications from an internal server to an external network is easy using IPSec between the two networks. It's simply a matter of properly configuring both the router and the servers.


2 comments
bhargavpandya

Any which way, we are not going to open our server directly to the internet without the firewall, and when this can be achieved easily through the firewall, then why do we need Windows IPsec to function? This is helpful if we need our internal users to work over IPsec. Also if we need to develop something like TeamViewer applications, where a software-based VPN will be highly useful. Also, I would like to know how I will configure the client to connect to this setup; I mean dynamic clients without static IPs.

cyberpsych1

I'm not knocking this article, because I've had users ask if this was possible. My question is: can someone post the benefits of this configuration? I'm curious to see the thoughts... Jay